<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<blockquote
cite="mid:CAJKgmrXiZYo4g5aPuWUtectyApnP6HeEWGjiBGnv+JSHo0YEZw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Obviously if this is a permanent situation, the rule
should be disabled and removed, but in the case of a
temporary error on the HTTPS side, I'd be very nervous
about automatically removing a layer of security.</blockquote>
<div><br>
</div>
<div><br>
</div>
<div>Oh definitely -- I was thinking @jsha's proposal was on
the development / codebase side, not client extension
side. Though maybe things change so rarely it makes sense
to manually validate all disabled rules.<br>
</div>
</div>
</div>
</div>
</blockquote>
Exactly, this would be a measure that would be applied during
development.<br>
<br>
Definitely we would want a mechanism to distinguish transient
failures from permanent ones, and we might want to manually review
removals depending on how much volume we get. Certainly we would
want to review all the disabled rules before doing a release, and
notify the maintainer. But if an attacker is willing to block HTTPS
to a site from the perspective of our test machine *and* from the
perspective of a maintainer, I don't think we can reasonably
distinguish that from the site actually being broken for HTTPS.<br>
</body>
</html>